Best practices to mitigate security threats

By Mouli Srinivasan

Your firewall is the first line of defense against security threats, but as you may already know, simply adding firewall devices to your network doesn’t ensure your network is secure; you need to regularly analyze your firewall’s syslog and configuration as well as optimize its performance in order to protect your network. The heart of any firewall’s performance is its rules and policies. If not managed properly, these can leave your network vulnerable to attacks.

Gartner predicts that 99% of exploited vulnerabilities will continue to be ones known by security and IT professionals for at least one year. Gartner concludes that the best and cheapest way to mitigate cyberattacks caused by known vulnerabilities is by removing them altogether, with regular patching.

For many security admins, maintaining optimal rule performance is a daunting task. Businesses are demanding that networks perform faster, leaving security admins balancing on the thin line separating speed and security. With these challenges in mind, here are some firewall best practices that can help security admins handle the conundrum of speed vs security.

Document rules

It’s critical for everyone in an IT team to have visibility over all the rules that have been written. Along with the list of rules, it’s important to record:

– The purpose of a rule
– The name of the security admin who wrote the rule along with the date of creation
– The users/services affected by the rule
– The devices/interfaces affected by the rule

You can record this information as comments when creating a new rule or modifying an existing rule. The first thing you should do, if you haven’t already, is review all the existing rules and document the above information wherever possible. Though this might be a time-consuming task, you’ll only have to do it once, and it will end up saving security admins a lot of time in the long run when auditing and adding new rules.

Reduce over-permissive rules

It’s better to be safe than sorry. Thus, it’s good practice to start off writing firewall rules with a “deny all” rule. This helps protect the network from manual errors. You’ll want to avoid using over-permissive rules like “allow any” as this can put the network at risk.

Permissive rules give users more freedom, which can translate into giving users access to more resources than they need to perform business-related functions. This leads to two types of problems:

As years go by and new policies are defined by different security admins, the number of rules tends to pile up. When new rules are defined without analyzing the old ones, these rules become redundant and can contradict each other, causing anomalies that negatively affect your firewall’s performance. Cleaning up unused rules on a regular basis helps avoid clogging up your firewall’s processor, so it’s important to periodically audit rules as well as remove duplicate rules, anomalies and unwanted policies.

Maximize speed

Placing the most used rules on top and moving the lesser-used rules to the bottom helps improve the processing capacity of your firewall. This is an activity that should be performed periodically, as different types of rules are used at different times.
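As an added example (not code from the article or from ManageEngine), the following Python script audits a constructed ruleset for the problems described in the last three sections: it flags "allow any" rules, finds rules that an earlier rule already shadows (redundant or contradictory under first-match processing), and promotes busy rules by hit count without moving any rule past an earlier overlapping rule of the opposite action, which a plain sort by hit count would do. The Rule class, the field semantics (CIDR or "any" for addresses; exact value or "any" for protocol and port), the documentation-in-comment convention and the hit counts are all assumptions.

```python
from ipaddress import ip_network
from dataclasses import dataclass
ANY = "any"  # wildcard value for any field
@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"; first matching rule wins
    src: str = ANY     # CIDR or "any"
    dst: str = ANY
    proto: str = ANY   # exact value or "any" (simplification: no ranges or groups)
    port: str = ANY
    comment: str = ""  # purpose, author, creation date (assumed documentation convention)
    hits: int = 0      # hit counter exported from the firewall

def covers(a, b):  # every packet b matches is also matched by a
    return (all(x == ANY if ANY in (x, y) else ip_network(y).subnet_of(ip_network(x))
                for x, y in ((a.src, b.src), (a.dst, b.dst)))
            and all(x in (ANY, y) for x, y in ((a.proto, b.proto), (a.port, b.port))))

def overlaps(a, b):  # some packet could match both rules
    return (all(ANY in (x, y) or ip_network(x).overlaps(ip_network(y))
                for x, y in ((a.src, b.src), (a.dst, b.dst)))
            and all(ANY in (x, y) or x == y for x, y in ((a.proto, b.proto), (a.port, b.port))))

def over_permissive(rules):  # "allow any": allow with no field restricted
    return [r.name for r in rules
            if r.action == "allow" and (r.src, r.dst, r.proto, r.port) == (ANY,) * 4]

def shadowed(rules):  # never reached: an earlier rule already covers all their traffic
    return [(later.name, earlier.name) for j, later in enumerate(rules)
            for earlier in rules[:j] if covers(earlier, later)]

def safe_reorder(rules):
    """Promote busy rules, but never past an earlier overlapping rule with a different
    action: a plain sort by hit count would silently change what the firewall allows."""
    remaining, ordered = list(rules), []
    while remaining:
        for cand in sorted(remaining, key=lambda r: -r.hits):
            if not any(rules.index(o) < rules.index(cand) and o.action != cand.action
                       and overlaps(o, cand) for o in remaining):
                ordered.append(cand); remaining.remove(cand); break
    return [r.name for r in ordered]

RULES = [  # constructed sample ruleset, not taken from any real firewall
    Rule("r1", "deny", src="10.0.0.0/8", proto="tcp", port="23", comment="block telnet; jdoe; 2023-01-10", hits=40),
    Rule("r2", "allow", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", port="443", comment="intranet to web; jdoe; 2023-02-01", hits=9000),
    Rule("r3", "allow", src="10.1.0.0/16", dst="192.0.2.10/32", proto="tcp", port="443", comment="subset of r2; asmith; 2024-05-03", hits=0),
    Rule("r4", "allow", comment="temporary allow any; asmith; 2021-11-30", hits=120),
    Rule("r5", "deny", hits=3),  # undocumented catch-all deny, shadowed by r4
]
```

On a real firewall the rule fields and hit counters would be exported from the device, and service groups, port ranges and negated objects need a richer matcher than this one. Note that r2 can safely move above r1 (they do not overlap), while r4 must stay below r1 even though it is hit more often.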

Penetration test

A penetration test is a simulated cyberattack against your computer system to check for exploitable vulnerabilities. Just as cars undergo crash tests to detect flaws in their safety design, periodic penetration tests on your firewall will help you identify areas in your network’s security that are vulnerable.

Automate security audits

A security audit is a measurable technical assessment of the firewall, carried out manually or systematically. Given that it consists of a combination of manual and automatable tasks, auditing and recording the results of these tasks on a regular basis is essential. You need a tool that can both automate tasks and record results from manual tasks. This will help track how configuration changes impact the firewall.

End-to-end change management tool

The key to efficient policy management is an end-to-end change management tool that can track and record requests from start to finish.

A typical change procedure might involve the following steps:

– A user raises a request for a particular change.
– The request is approved by the firewall/network security team, and all the details on who approves the request are recorded for future reference.
– After approval, the configuration is tested to confirm whether changes in the firewall will have the desired effect without causing any threat to the existing setup.
– Once the changes are tested, the new rule is deployed into production.
– A validation process is performed to ensure that the new firewall settings are operating as intended.
– All changes, reasons for changes, time stamps, and personnel involved are recorded.

A real-time alert management system is critical for efficient firewall management. You need to:

– Monitor the availability of the firewall in real time. If a firewall goes down, a standby firewall needs to take over immediately so that all traffic can be routed through it in the meantime.
– Trigger alarms when the system encounters an attack so that the issue can be quickly rectified.
– Set alert notifications for all the changes that are made. This will help security admins keep a close eye on every change as it happens.

Retain logs

You need to retain logs for a stipulated amount of time depending on which regulations you need to comply with. Below are some of the major compliance standards along with the retention period required for each regulation.

Different countries have different regulations for how long logs need to be stored for legal purposes. You should check with your legal team about which regulations your business needs to comply with.

Security compliance

Regular internal audits combined with compliance checks for different security standards are important aspects of maintaining a healthy network. Every company will follow different compliance standards based on the industry that business is in; you can automate compliance checks and audits to run on a regular basis to ensure you’re meeting industry standards.

Upgrade software and firmware

No network or firewall is perfect, and hackers are working around the clock to find any loopholes they can. Regular software and firmware updates to your firewall help eliminate known vulnerabilities in your system. Not even the best set of firewall rules can stop an attack if a known vulnerability hasn’t been patched.

Mouli Srinivasan is a product analyst at ManageEngine, a division of Zoho Corp., specializing in IT security.